The Egyptian Parliament has adopted a new privacy protection law. The new law will apply to companies established in Egypt and to companies that are established outside of Egypt but that process personal information of individuals in Egypt.
The law provides that the collection and processing of personal information of individuals in Egypt are permitted only subject to their consent and that data subjects shall have the right to withdraw their consent at any time. Controllers and processors will be required to take technical measures to secure personal data and prevent disclosure of data to third parties unless permitted by law. The law also restricts the transfer of personal data out of Egypt and requires controllers and processors to obtain a license from the Information Protection Center for such a transfer. Additionally, processors are required to process the data only for the purposes for which it was collected, for the minimum necessary period according to the purposes for which it was collected. They also are required to maintain a record of their processing activities.
The law further requires that controllers and processors report a security incident to the relevant authorities within 72 hours and inform data subjects about any security incident relating to their personal data.
In addition, the law regulates direct marketing communications and provides that entities desiring to use personal data for direct marketing purposes must obtain a license from the Information Protection Center, obtain the consent of data subjects and keep a record of such consent for three years.
The law will enter into force on October 16, 2020. Its implementing regulations are expected to be published six months thereafter. Violation of the law may attract criminal liability for the violating entity as well as on senior members of the violating entity responsible for the protection of personal information.
CLICK HERE to read the new Egyptian privacy protection law (in Arabic and English translation).